Debian Bug report logs - #506350
CVE-2008-5141: allows local users to overwrite arbitrary files via a symlink attack
Reported by: Raphael Geissert <atomo64@gmail.com>
Date: Thu, 20 Nov 2008 20:36:03 UTC
Severity: important
Tags: security
Found in version flamethrower/0.1.8-1
Fixed in versions flamethrower/0.1.8-2, flamethrower/0.1.8-1+etch4
Done: dann frazier <dannf@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, dann frazier <dannf@debian.org>: Bug#506350; Package flamethrower. (Thu, 20 Nov 2008 20:36:06 GMT)
Message #3 received at submit@bugs.debian.org:
Package: flamethrower
Version: 0.1.8-1
Severity: important
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was published for
flamethrower.
CVE-2008-5141[1]:
> flamethrower in flamethrower 0.1.8 allows local users to overwrite
> arbitrary files via a symlink attack on a /tmp/multicast.tar.#####
> temporary file.
Please note that a more careful inspection of the script reveals that even
more insecure paths are used, not just the one mentioned in the CVE.
Searching for /tmp and $tmp_dir and the other vars taking $tmp_dir as their
value will reveal the rest.
If you fix the vulnerability please also make sure to include the CVE id in
the changelog entry.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5141
http://security-tracker.debian.net/tracker/CVE-2008-5141
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#506350; Package flamethrower. (Fri, 21 Nov 2008 18:06:03 GMT)
Acknowledgement sent to dann frazier <dannf@debian.org>: Extra info received and forwarded to list. (Fri, 21 Nov 2008 18:06:04 GMT)
Message #8 received at 506350@bugs.debian.org:
Thanks for the report. Does this patch look sufficient to you?
--- flamethrower-0.1.8.orig/bin/flamethrower
+++ flamethrower-0.1.8/bin/flamethrower
@@ -9,6 +9,7 @@
use strict;
use File::Path;
+use File::Temp;
use Getopt::Long;
use lib "/usr/lib/flamethrower";
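Review bot: `use File::Temp;` with an empty import list means every call has to be spelled `File::Temp::tempdir` / `File::Temp::tempfile`, which the later hunks do consistently; `use File::Temp qw(tempdir tempfile);` would read more like the surrounding `use` lines, but either works. File::Temp has shipped with core Perl since 5.6.1, so no new package dependency is needed for either etch or unstable.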
@@ -23,7 +24,7 @@
my $version_number = "INS_VERSION";
my $conf_file = '/etc/flamethrower/flamethrower.conf';
my $transport = "udp-receiver";
-my $tmp_dir = "/tmp/.flamethrower.$$";
+my $tmp_dir = File::Temp::tempdir("/tmp/flamethrower.XXXXXX");
my $version_info = <<"EOF";
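Review bot: File::Temp::tempdir() is now called at file scope, so the directory is created the moment the script starts, on every run including ones that exit early, and nothing in this hunk removes it afterwards; consider moving the call to the point where the old code actually created $tmp_dir, and either passing CLEANUP => 1 or keeping an explicit rmtree on the exit paths. The hard-coded "/tmp/flamethrower.XXXXXX" template can also become tempdir("flamethrower.XXXXXX", TMPDIR => 1) to honour $TMPDIR. What the hunk gets right: tempdir creates with mode 0700 and dies if it cannot, so a planted entry at that path makes the script fail closed rather than proceed into a directory it does not own.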
@@ -283,13 +284,16 @@
#
my $udp_cmd;
my $tar_cmd;
+ my $tar_fh;
+ my $tar_file;
+ ($tar_fh, $tar_file) = File::Temp::tempfile("/tmp/multicast.tar.XXXXXX");
if($verbose) {
- $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$";
- $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+ $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file";
+ $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
} else {
- $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$ 2>/dev/null";
- $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+ $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file 2>/dev/null";
+ $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
}
print "$udp_cmd\n" if($verbose);
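Review bot: tempfile() creates the file with O_CREAT|O_EXCL and mode 0600, which is what actually defeats the planted symlink, but udp-receiver is then handed only the name and re-opens it itself; please confirm that `udp-receiver --file` overwrites an existing file rather than refusing (every transfer would then fail) or appending, and note that the gap between the two opens is covered only by /tmp being sticky, so a different user cannot unlink and replace the now-existing file. $tar_fh is never read or written here; keeping the handle open does not protect the path, so a short comment on why it is retained until the unlink would stop someone "cleaning it up" later. The "/tmp/multicast.tar.XXXXXX" template could likewise become tempfile("multicast.tar.XXXXXX", TMPDIR => 1), and the two $tar_cmd assignments are now identical in both branches and could be hoisted out of the if/else.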
@@ -298,7 +302,8 @@
print "$tar_cmd\n" if($verbose);
!system($tar_cmd) or die("FAILED: $tar_cmd");
- unlink("/tmp/multicast.tar.$$");
+ close $tar_fh;
+ unlink("$tar_file");
}
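Review bot: the close/unlink pair only runs on the success path; if udp-receiver or tar fails, the die() above skips it and the 0600 temp file is left behind (the original code leaked it the same way). Passing UNLINK => 1 to the tempfile() call in the previous hunk, or an END block, removes it on every exit. Minor: `unlink("$tar_file")` quotes a scalar needlessly, and unlink's return value is unchecked.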
--
dann frazier
Message sent on to Raphael Geissert <atomo64@gmail.com>: Bug#506350. (Fri, 21 Nov 2008 18:06:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, dann frazier <dannf@debian.org>: Bug#506350; Package flamethrower. (Sun, 23 Nov 2008 23:21:04 GMT)
Acknowledgement sent to "Raphael Geissert" <atomo64@gmail.com>: Extra info received and forwarded to list. Copy sent to dann frazier <dannf@debian.org>. (Sun, 23 Nov 2008 23:21:04 GMT)
Message #16 received at 506350@bugs.debian.org:
Hi,
Sorry for the delay.
2008/11/21 dann frazier <dannf@debian.org>:
> Thanks for the report. Does this patch look sufficient to you?
>
> --- flamethrower-0.1.8.orig/bin/flamethrower
> +++ flamethrower-0.1.8/bin/flamethrower
> @@ -9,6 +9,7 @@
>
> use strict;
> use File::Path;
> +use File::Temp;
> use Getopt::Long;
>
> use lib "/usr/lib/flamethrower";
> @@ -23,7 +24,7 @@
> my $version_number = "INS_VERSION";
> my $conf_file = '/etc/flamethrower/flamethrower.conf';
> my $transport = "udp-receiver";
> -my $tmp_dir = "/tmp/.flamethrower.$$";
> +my $tmp_dir = File::Temp::tempdir("/tmp/flamethrower.XXXXXX");
You could even omit the template and let tempdir create a directory
with a random name under $TMPDIR (instead of hard-coding /tmp).
Same as for the other calls. Other than that it does look good.
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
P. J. O'Rourke - "Never wear anything that panics the cat."
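The following is an added illustration, not flamethrower code and not part of either message above: it shows the symlink attack behind CVE-2008-5141 as reported in message #3 (a temp name derived from $$ is guessable, and a write through it follows whatever a local user planted there) and the File::Temp pattern suggested in this reply (no hard-coded /tmp, TMPDIR => 1, random suffix, O_EXCL creation, cleanup at exit). The scratch directory, the file name "victim.conf" and the "multicast.tar." prefix are assumptions for the demo; everything happens under a private directory, so it is safe to run as an ordinary user.

```perl
#!/usr/bin/perl
# Added illustration, not flamethrower code: why a temp name built from $$
# can be hijacked with a symlink, and what File::Temp does differently.
# Everything happens in a private scratch directory, so it is safe to run
# as an unprivileged user; "victim.conf" and the directory names are
# invented for the demo.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempfile tempdir);

# Scratch directory standing in for /tmp; CLEANUP => 1 removes it at exit.
my $sandbox = tempdir(CLEANUP => 1);

# A file writable by the account running the script, which the attacker
# wants clobbered.
my $target = File::Spec->catfile($sandbox, 'victim.conf');
open(my $t, '>', $target) or die "open $target: $!";
print $t "original contents\n";
close $t;

# Vulnerable pattern: the name depends only on the PID, so a local user
# can plant a symlink at it ahead of time.
my $predictable = File::Spec->catfile($sandbox, "multicast.tar.$$");
symlink($target, $predictable) or die "symlink: $!";

# open(..., '>') follows the symlink and truncates the target; this is what
# "udp-receiver --file /tmp/multicast.tar.$$" did on the victim's behalf.
open(my $v, '>', $predictable) or die "open $predictable: $!";
print $v "attacker-controlled data\n";
close $v;

open(my $c, '<', $target) or die "open $target: $!";
my $after = <$c>;
close $c;
print "victim.conf after the write: $after";

# What File::Temp does underneath: O_CREAT|O_EXCL refuses any pre-existing
# path, symlink or not, so the planted link makes the open fail instead.
my $opened = sysopen(my $x, $predictable, O_WRONLY | O_CREAT | O_EXCL, 0600);
print 'O_EXCL open on the planted symlink: ',
      ($opened ? 'succeeded' : "refused ($!)"), "\n";

# Fixed pattern, following the suggestion in the thread: no hard-coded /tmp
# (TMPDIR => 1 honours $TMPDIR), a random suffix, O_EXCL creation, 0600/0700
# permissions, and automatic removal at exit.
my ($tar_fh, $tar_file) = tempfile('multicast.tar.XXXXXX', TMPDIR => 1, UNLINK => 1);
my $tmp_dir = tempdir('flamethrower.XXXXXX', TMPDIR => 1, CLEANUP => 1);
printf "safe tar file: %s (mode %04o)\n", $tar_file, (stat $tar_fh)[2] & 07777;
printf "safe tmp dir:  %s (mode %04o)\n", $tmp_dir, (stat $tmp_dir)[2] & 07777;
```

Running it as an unprivileged user shows the victim file's contents replaced by the write through the planted link, the O_EXCL open on the same path refused with "File exists", and the File::Temp names created with modes 0600 and 0700 under $TMPDIR (or the platform default when it is unset). The one caveat that does not show up in a single-user demo: O_EXCL only stops an attacker who got there first; a file that already exists is protected from being swapped out afterwards by the sticky bit on the temp directory, so the fix assumes /tmp (or $TMPDIR) is sticky, as it is on a default Debian install.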
Reply sent to dann frazier <dannf@debian.org>: You have taken responsibility. (Sat, 29 Nov 2008 02:27:09 GMT)
Notification sent to Raphael Geissert <atomo64@gmail.com>: Bug acknowledged by developer. (Sat, 29 Nov 2008 02:27:09 GMT)
Message #21 received at 506350-close@bugs.debian.org:
Source: flamethrower
Source-Version: 0.1.8-2
We believe that the bug you reported is fixed in the latest version of
flamethrower, which is due to be installed in the Debian FTP archive:
flamethrower_0.1.8-2.diff.gz
to pool/main/f/flamethrower/flamethrower_0.1.8-2.diff.gz
flamethrower_0.1.8-2.dsc
to pool/main/f/flamethrower/flamethrower_0.1.8-2.dsc
flamethrower_0.1.8-2_all.deb
to pool/main/f/flamethrower/flamethrower_0.1.8-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 506350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated flamethrower package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 21 Nov 2008 10:46:08 -0700
Source: flamethrower
Binary: flamethrower
Architecture: source all
Version: 0.1.8-2
Distribution: unstable
Urgency: low
Maintainer: dann frazier <dannf@debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description:
flamethrower - Multicast file distribution utility
Closes: 506350
Changes:
flamethrower (0.1.8-2) unstable; urgency=low
.
* Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
* Rebuilding with current toolchain would cause executables to
be installed in /usr/local/bin. Fix this by supplying an
appropriate SITEPREFIX.
* Don't package /usr/lib/flamethrower/auto subtree
* Lintian cleanup:
- Remove bogus (empty) line in lsb section of initscript
- Use $(CURDIR) instead of $(PWD) in rules file, suggested by lintian
- Don't ignore clean errors from make
- Update Standards-Version to 3.8.0
- Swap binary-arch/binary-indep rules
- List debhelper under Build-Depends instead of Build-Depends-Indep
Checksums-Sha1:
2eab7dd9fa9e9cdc36e0db4e5bc529585b668134 972 flamethrower_0.1.8-2.dsc
b8b9ba71192b0ca2292e31d4a8bd599fb9a09a1e 3433 flamethrower_0.1.8-2.diff.gz
ba11ec90657bd71b4fd15d5e457514a36703d5b8 17000 flamethrower_0.1.8-2_all.deb
Checksums-Sha256:
52af61ea68e412ce6541fbc2ef528981788d7547411b62e39aa5e725ceab919a 972 flamethrower_0.1.8-2.dsc
367039552533206f4160cccb6aff2e88d53891785e234c2fe459e203e3502be8 3433 flamethrower_0.1.8-2.diff.gz
0528121c3e4bc5cdba033e7f9bf383c415f7ef58e127e95e693755a0cc4cb884 17000 flamethrower_0.1.8-2_all.deb
Files:
457edac4335566c9984989dc4c861323 972 admin optional flamethrower_0.1.8-2.dsc
c4d4a9e9eb94386ebf77a2666eef08d5 3433 admin optional flamethrower_0.1.8-2.diff.gz
3d094d6abd87ca216cc1d5b7b404b20c 17000 admin optional flamethrower_0.1.8-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJMKDEhuANDBmkLRkRAqM4AJ0UW+ExlZzAQ6Zg0A8kwK0jyqNZgQCfaWW6
KpZywHnfEWVk6QQKKPdSGGU=
=GrgU
-----END PGP SIGNATURE-----
Reply sent to dann frazier <dannf@debian.org>: You have taken responsibility. (Fri, 05 Dec 2008 07:57:04 GMT)
Notification sent to Raphael Geissert <atomo64@gmail.com>: Bug acknowledged by developer. (Fri, 05 Dec 2008 07:57:04 GMT)
Message #26 received at 506350-close@bugs.debian.org:
Source: flamethrower
Source-Version: 0.1.8-1+etch4
We believe that the bug you reported is fixed in the latest version of
flamethrower, which is due to be installed in the Debian FTP archive:
flamethrower_0.1.8-1+etch4.diff.gz
to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch4.diff.gz
flamethrower_0.1.8-1+etch4.dsc
to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch4.dsc
flamethrower_0.1.8-1+etch4_all.deb
to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 506350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated flamethrower package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 21 Nov 2008 11:19:16 -0700
Source: flamethrower
Binary: flamethrower
Architecture: source all
Version: 0.1.8-1+etch4
Distribution: stable-security
Urgency: high
Maintainer: dann frazier <dannf@debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description:
flamethrower - Multicast file distribution utility
Closes: 506350
Changes:
flamethrower (0.1.8-1+etch4) stable-security; urgency=high
.
* Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
* Rebuilding with current toolchain would cause executables to
be installed in /usr/local/bin. Fix this by supplying an
appropriate SITEPREFIX.
Files:
4a880e477706f57bcfb806eb46a81922 598 admin optional flamethrower_0.1.8-1+etch4.dsc
f6263743cb41f4f75ab9f4dbc76a71a5 3138 admin optional flamethrower_0.1.8-1+etch4.diff.gz
fbc0c1b237503a9d88521b444e4319e0 16880 admin optional flamethrower_0.1.8-1+etch4_all.deb
04e1b6c5b4e72879e8aa69fcccb0491f 23485 admin optional flamethrower_0.1.8.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJM3AChuANDBmkLRkRAoMwAKCTdGlyebzWC3bEXpmvDfuZug36EwCdHlei
gOM0LVrNeXMInytSXParaRQ=
=etot
-----END PGP SIGNATURE-----
Reply sent to dann frazier <dannf@debian.org>: You have taken responsibility. (Wed, 17 Dec 2008 21:19:47 GMT)
Notification sent to Raphael Geissert <atomo64@gmail.com>: Bug acknowledged by developer. (Wed, 17 Dec 2008 21:19:48 GMT)
Message #31 received at 506350-close@bugs.debian.org: a second copy of message #26 (flamethrower 0.1.8-1+etch4 close notification), text identical.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Jan 2009 07:29:13 GMT)
Last modified: Wed Jun 19 14:34:24 2019